The infection chain begins with the pseudoDarkleech script being injected into the compromised website. Below is an image of the website's source code showing the injected script:

The URL inside the injected <iframe> tag is the redirection mechanism that pulls in the Rig Exploit Kit landing page. Below are the requests and responses for the exploit kit landing page, the Flash exploit, and the payload, in that order:
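As an added triage example (not code from the original post), the script below pulls every <iframe> out of a captured page source and flags the ones that look like a redirect: hidden via inline style or a 1x1 frame, or pointing off-site at a bare IP address. The HTML sample is constructed for illustration and its URL uses a documentation address (RFC 5737); it is not the actual injected script or gate from this infection, and the hidden-element heuristics are my assumptions about what to look for, not a published pseudoDarkleech signature.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample page: one legitimate embed plus one hidden off-site iframe.
# The IP is a documentation address (RFC 5737); this is NOT the real gate URL.
SAMPLE_HTML = """<html><body>
<p>Welcome to the site.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://198.51.100.20/?q=example" width="1" height="1"
        style="position:absolute; left:-9999px; visibility:hidden"></iframe>
</body></html>"""

# Assumed style fragments that indicate an off-screen or invisible frame.
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append({k: v for k, v in attrs})


def _dimension(attrs, key):
    """Parse a width/height attribute to int, or None if absent/unparseable."""
    value = attrs.get(key)
    if value is None:
        return None
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs):
    """Heuristic (assumption): off-screen/hidden style, or a 0x0 / 1x1 frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(hint in style for hint in HIDDEN_STYLE_HINTS):
        return True
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def is_ip_literal(host):
    """True if the host part of the src is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_iframes(html, page_host):
    """Return one record per <iframe> with a src: host, hidden and off-site flags."""
    collector = IframeCollector()
    collector.feed(html)
    records = []
    for attrs in collector.iframes:
        src = attrs.get("src")
        if not src:
            continue
        host = (urlparse(src).hostname or "").lower()
        records.append({
            "src": src,
            "host": host,
            "hidden": is_hidden(attrs),
            "offsite": host != page_host.lower(),
        })
    return records


def suspicious_redirects(records):
    """Flag hidden frames, and off-site frames that point at a bare IP address."""
    return [r["src"] for r in records
            if r["hidden"] or (r["offsite"] and is_ip_literal(r["host"]))]


if __name__ == "__main__":
    recs = find_iframes(SAMPLE_HTML, "www.example.com")
    for r in recs:
        print(r)
    print("suspicious:", suspicious_redirects(recs))
```

Run it against the saved HTML of the compromised page (`find_iframes(open(path).read(), "site-hostname")`) and compare the flagged src values against the first GET in the pcap; the Rig landing page request should be the one the hidden frame points at. The heuristics are deliberately loose, so treat hits as leads to confirm in the traffic, not as a verdict.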

This time the server sent an executable named “radDA159.tmp.exe”. The file description in its version information reads “NirCmd”, the name of a legitimate Windows command-line tool, and the malicious executable even carries an icon. Both are trivial for the author to set when building the binary, so neither says anything about legitimacy. See the images below:

Ransom notes (Bitmap, HTML, and Text) were also dropped in various folders. Oddly enough, I did not get the usual .html and .txt ransom notes on the Desktop; only the background image changed.